On 11/06/2017 07:06 AM, marcos valentine wrote:
> Hello guys,
>
> What's the best way to identify a possible user using a botnet with PHP
> on the server? And if he is using GET commands, for example, on another server.
>
> Does Apache log outbound connections?
>
> If it is using a file that is not malicious, ClamAV would not identify it.

This sounds like a good place to start:

https://major.io/2011/03/09/strategies-for-detecting-a-compromised-linux-server/

(look for open ports and connections, both inbound and outbound, with netstat, etc.)

But, if someone has completely breached the machine and gotten root on it, they could put in fake binaries that hide ports and hide processes from 'top' (or ps, lsof). So, a look via chkrootkit or rkhunter would be needed to find that.

The link for rkhunter in the article is bad .. here is the new one:

http://rkhunter.sourceforge.net/

rkhunter seems to be in EPEL. chkrootkit is in Fedora, it does not seem to be in EPEL.
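The two checks the reply recommends, as an added example that is not part of the thread: list established sockets that web-server processes opened themselves (local port not a listening port, so not an inbound client) and compare the PIDs visible in /proc with what ps reports. It assumes Linux with iproute2 `ss`, and the process names (httpd, apache2, php-fpm) and the sample `ss` lines are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed 'ss -tnp' output: one inbound HTTP client, one sshd session, and
# two connections that php-fpm workers initiated (IRC port and HTTPS).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:80 203.0.113.9:51234 users:(("httpd",pid=1234,fd=7))
ESTAB 0 0 10.0.0.5:44120 198.51.100.77:6667 users:(("php-fpm",pid=2210,fd=9))
ESTAB 0 0 10.0.0.5:22 192.0.2.10:40012 users:(("sshd",pid=900,fd=4))
ESTAB 0 0 10.0.0.5:38801 198.51.100.23:443 users:(("php-fpm",pid=2211,fd=11))'

# Print peer and owning process for ESTAB sockets held by web-server processes
# whose LOCAL port is not one we listen on, i.e. connections the server made.
# $1: space-separated listening ports (e.g. "80 443"); stdin: 'ss -tnp' output.
outbound_web_conns() {
    awk -v lp="$1" '
        BEGIN { n = split(lp, a, " "); for (i = 1; i <= n; i++) listen[a[i]] = 1 }
        $1 == "ESTAB" && $0 ~ /users:\(\("(httpd|apache2|php-fpm)"/ {
            lport = $4; sub(/.*:/, "", lport)      # $4 = local addr:port
            if (!(lport in listen)) print $5, $6   # $5 = peer, $6 = process
        }'
}

# Print PIDs present in the first list but missing from the second.
# $1: PIDs seen in /proc, $2: PIDs reported by ps (both whitespace-separated).
# A userland rootkit that only patches ps shows up here; a kernel rootkit
# that also filters /proc will not, which is why rkhunter/chkrootkit are needed.
hidden_pids() {
    for p in $1; do
        found=0
        for q in $2; do [ "$p" = "$q" ] && { found=1; break; }; done
        [ "$found" -eq 0 ] && echo "$p"
    done
    return 0
}

# Run against the live host with: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    listening=$(ss -tln | awk 'NR > 1 { p = $4; sub(/.*:/, "", p); print p }' | sort -u | tr '\n' ' ')
    echo "== outbound connections from web-server processes =="
    ss -tnp | outbound_web_conns "$listening"
    echo "== PIDs in /proc not shown by ps =="
    hidden_pids "$(ls /proc | grep -E '^[0-9]+$')" "$(ps -e -o pid= | tr -d ' ')"
else
    printf '%s\n' "$SAMPLE_SS" | outbound_web_conns "80 443"
fi
```

A web server that never needs to talk out (no remote APIs, no outbound mail) should produce an empty first list; anything there is worth a look at the owning PID's cwd and open files before deciding whether it is legitimate.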
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos